Invention content
In view of the above problems, the present invention is proposed in order to provide a method and a device for identifying the dangerousness of a domain name resolution server that overcome, or at least partly solve, the above problems.
A further object of the present invention is to improve the accuracy of identifying malicious DNS.
Another further object of the present invention is to improve the practicability of identifying malicious DNS, without requiring the accumulation of a large amount of data.
According to one aspect of the present invention, a method for identifying the dangerousness of a domain name resolution server is provided. The method includes: obtaining the resolution result that a local domain name resolution server to be identified (Local DNS, hereinafter "local DNS") obtains by resolving a preset domain name; determining, according to the resolution result, whether the DNS resolution request received by the authoritative domain name server of the preset domain name (Authoritative DNS, hereinafter "authoritative DNS") was sent directly by the local DNS, where the resolution result contains request source address information of the DNS resolution request added by the authoritative DNS; and if not, determining that the local DNS carries a risk of being malicious.
Optionally, the authoritative DNS is configured to use the request source address of the DNS resolution request as the resolved address of the preset domain name; determining, according to the resolution result, whether the DNS resolution request received by the authoritative DNS of the preset domain name was sent directly by the local DNS then includes: obtaining the address of the local DNS; matching the address of the local DNS against the resolved address; and if the address of the local DNS matches the resolved address, determining that the DNS resolution request was sent directly by the local DNS.
Optionally, matching the address of the local DNS against the resolved address includes: comparing whether the address of the local DNS and the resolved address are identical; if identical, determining that the address of the local DNS matches the resolved address.
Optionally, matching the address of the local DNS against the resolved address includes: comparing whether the attribution information of the address of the local DNS and the attribution information of the resolved address are identical, the attribution information including the region and/or the operator to which the address belongs; if identical, determining that the address of the local DNS matches the resolved address.
Optionally, if the address of the local DNS does not match the resolved address, the method further includes: identifying whether the resolved address is the address of a public DNS; if so, raising the risk level of the local DNS.
Optionally, if the address of the local DNS does not match the resolved address, the method further includes: obtaining the time-to-live value of the resolution result; judging whether the time-to-live value of the resolution result exceeds the time-to-live preset by the authoritative DNS; if it does, raising the risk level of the local DNS.
Optionally, if the address of the local DNS does not match the resolved address, the method further includes: recording the respective resolved addresses of multiple local DNS servers to generate a resolved address list; counting the number of times each resolved address appears in the resolved address list and sorting the addresses by count from high to low; and raising the risk level of the local DNS servers corresponding to the top-ranked resolved addresses.
According to another aspect of the present invention, a device for identifying the dangerousness of a domain name resolution server is also provided. The device includes: an acquisition module, configured to obtain the resolution result that a local DNS to be identified obtains by resolving a preset domain name; and a judgment module, configured to determine, according to the resolution result, whether the DNS resolution request received by the authoritative DNS of the preset domain name was sent directly by the local DNS, and if not, to determine that the local DNS carries a risk of being malicious, where the resolution result contains request source address information of the DNS resolution request added by the authoritative DNS.
Optionally, the judgment module includes an address judging submodule configured to: obtain the address of the local DNS; match the address of the local DNS against the resolved address in the resolution result; and if the address of the local DNS matches the resolved address, determine that the DNS resolution request was sent directly by the local DNS, the authoritative DNS of the preset domain name being configured to use the request source address as the resolved address of the preset domain name.
Optionally, the address judging submodule is further configured to: compare whether the address of the local DNS and the resolved address are identical; if identical, determine that the address of the local DNS matches the resolved address.
Optionally, the address judging submodule is further configured to: compare whether the attribution information of the address of the local DNS and the attribution information of the resolved address are identical, the attribution information including the region and/or the operator to which the address belongs; if identical, determine that the address of the local DNS matches the resolved address.
Optionally, the judgment module further includes an address recognition submodule configured to: identify whether the resolved address is the address of a public DNS; if so, raise the risk level of the local DNS.
Optionally, the judgment module further includes a time-to-live judging submodule configured to: obtain the time-to-live value of the resolution result; judge whether the time-to-live value of the resolution result exceeds the time-to-live preset by the authoritative DNS; if it does, raise the risk level of the local DNS.
Optionally, the above device for identifying the dangerousness of a domain name resolution server further includes a statistical module configured to: record the resolved addresses of multiple local DNS servers to generate a resolved address list; count the number of times each resolved address appears in the resolved address list and sort the addresses by count from high to low; and raise the risk level of the local DNS servers corresponding to the top-ranked resolved addresses.
In the method for identifying the dangerousness of a domain name resolution server of the present invention, the local DNS to be identified is used to initiate a DNS resolution request for a preset domain name, and the resolution result returned by the authoritative DNS of the preset domain name reflects the source address of the request that reached it. Since a malicious DNS generally hands DNS resolution requests outside its hijacking scope to other DNS resolution servers to resolve on its behalf, judging whether the DNS resolution request received by the authoritative DNS was sent directly by the local DNS reveals whether the resolution was forwarded to another DNS resolution server, and thus whether the DNS carries a risk of being malicious.
Further, the authoritative DNS of the preset domain name can be configured to use the request source address of the DNS resolution request as the resolved address of the preset domain name, so that once the resolution result for the preset domain name is obtained, it can be judged directly whether the obtained resolved address matches the address of the local DNS, which determines whether the local DNS completed the entire resolution process itself and thus yields the identification result of whether the local DNS is malicious.
Further, the method of the present invention obtains its basis for judging a DNS merely by setting up a test domain name used only to detect the request source address of DNS resolution requests, without accumulating a large amount of data for analysis; the identification process is simple and easy to implement.
The above description is only an overview of the technical solution of the present invention. In order that the technical means of the present invention may be better understood and implemented in accordance with the contents of the specification, and that the above and other objects, features and advantages of the present invention may be made clearer and more comprehensible, specific embodiments of the present invention are given below.
From the following detailed description of specific embodiments of the present invention with reference to the accompanying drawings, the above and other objects, advantages and features of the present invention will become clearer to those skilled in the art.
Specific embodiment
The algorithms and displays provided herein are not inherently related to any particular computer, virtual system or other equipment. Various general-purpose systems may also be used together with the teaching herein. As described above, the structure required to construct such systems is apparent. In addition, the present invention is not directed to any particular programming language. It should be understood that various programming languages can be used to implement the content of the invention described herein, and the above description of a specific language is given to disclose the preferred embodiment of the present invention.
Fig. 1 is an architecture diagram of a first usage environment of the device for identifying the dangerousness of a domain name resolution server according to an embodiment of the present invention. The DNS architecture is a hierarchical tree known as the DNS domain name space; the topmost name space is called the "root node". The path from a top-level domain down to some subdomain constitutes a domain name: for example, the path from the top-level domain .com to its second-level domain microsoft and then to the subdomain departmentA of microsoft constitutes the domain name departmentA.microsoft.com. Fig. 1 briefly introduces the resolution process using access to the website address www.abc.com as an example (abc.com is used as the example below). The flow is:
Step 1: The user's computer sends a request to resolve www.abc.com to the local DNS server configured in its system. The so-called local DNS server is the IP address of a DNS service, which may be obtained automatically from the operator, set manually, or set through other means.
Step 2: The local DNS server checks whether it holds a cache of this domain name in its own space (the effect of caching is not considered in the subsequent embodiments); if not, it sends a resolution request for www.abc.com to a root server.
Step 3: After the root server receives the resolution request from the local DNS server, it returns to the local server the IP address of the server for the .com node of the requested domain name.
Step 4: After receiving the server IP address of the .com top-level domain, the local DNS server sends the resolution request for www.abc.com to the .com top-level domain server.
Step 5: After receiving the resolution request for www.abc.com, the .com top-level domain server returns to the local DNS server the IP address of the DNS server for the second-level domain abc.
Step 6: The local DNS server then initiates the resolution request for www.abc.com to the DNS server of the second-level domain abc.
Step 7: The management server of the abc domain manages all subdomain names under abc.com; this management server can be called the authoritative DNS. The subdomain name www exists in the name space of the authoritative DNS and its corresponding resolution information is stored there, so the DNS server of the abc.com domain returns the resolution result for www.abc.com to the local DNS server.
Step 8: After the local DNS server receives the resolution result for www.abc.com from the abc.com domain server, it returns it to the user.
Step 9: After obtaining the IP address corresponding to the domain name www.abc.com, the user's computer begins to request the relevant content from that IP. At this point a complete DNS resolution request process ends.
In the above description, the local domain name server (Local DNS) refers to the DNS configured on the user's computer; all of the user's DNS resolution requests are sent directly to the Local DNS, which processes them and returns the resolution result. The authoritative DNS refers to the DNS that has authoritative publishing capability for a certain domain name; it is the original source of that domain name's resolution results on the Internet. For example, assuming that the authoritative DNS of the domain name "abc.com" is 1.2.3.4, the authoritative resolution result of a subdomain of "abc.com" (such as www.abc.com) can be obtained from 1.2.3.4.
The local DNS resolution process introduced with Fig. 1 is the normal DNS resolution process, in which every request of the entire iterative DNS resolution is sent by the local DNS. The inventor's analysis and research of a large number of malicious DNS servers found that the resolution process of many malicious DNS servers is as shown in Fig. 2. Fig. 2 is an architecture diagram of a second usage environment of the device for identifying the dangerousness of a domain name resolution server according to an embodiment of the present invention; in this architecture the local DNS is a malicious DNS that hijacks certain domain names. The flow is:
Step A: The user's computer sends a request to resolve www.abc.com to the local DNS server configured in its system; this local DNS server is a malicious DNS that hijacks certain domain names.
Step B: After the malicious DNS receives the domain name resolution request, it first checks whether the requested domain name www.abc.com is a domain name it intends to hijack; if so, it performs Step C, otherwise it performs Step D.
Step C: The malicious DNS returns a tampered or forged resolution result to the user's computer, directing the user to a specific website in order to achieve its malicious purpose.
Step D: For DNS resolution requests that are not hijacking targets, the malicious DNS sends them to another, normal DNS.
Step E: The normal DNS performs multiple rounds of iterative queries and obtains the address of the authoritative DNS of abc.com from the network.
Step F: The normal DNS sends a request to resolve www.abc.com to the authoritative DNS of abc.com.
Step G: The authoritative DNS of abc.com returns the normal resolution result for www.abc.com.
Step H: The normal DNS forwards the normal resolution result for www.abc.com to the malicious local DNS.
Step J: The malicious local DNS sends the normal resolution result for www.abc.com to the user's computer.
From the workflow of the malicious local DNS above, it can be seen that a malicious local DNS generally returns malicious hijacked results only for a few individual target objects and hands most domain names to a normal DNS for iterative resolution on its behalf, in order to reduce its own load; the inventor's analysis further found that the forwarding DNS chosen by a malicious DNS is usually a commonly used DNS server.
In view of the above resolution characteristics of malicious DNS, an embodiment of the present invention provides a device 100 for identifying the dangerousness of a domain name resolution server. It can be arranged on the user side and identifies the dangerousness of a domain name resolution server by performing detection through a preset private domain name used for identifying DNS dangerousness. Fig. 3 is a schematic diagram of the device 100 for identifying the dangerousness of a domain name resolution server according to an embodiment of the present invention; in general, the device 100 may include an acquisition module 110 and a judgment module 120.
In the device 100 for identifying the dangerousness of a domain name resolution server of the embodiment of the present invention, the acquisition module 110 is configured to obtain the resolution result that the local DNS to be identified obtains by resolving the preset domain name. The authoritative DNS of the preset domain name may be configured to send back, as the resolution result, the source address of the request that directly reached it, or to include that source address in the resolution result, so that the resolution result contains request source address information of the DNS resolution request added by the authoritative DNS of the preset domain name.
The judgment module 120 may be configured to determine, according to the resolution result, whether the DNS resolution request received by the authoritative DNS of the preset domain name was sent directly by the local DNS, and if not, to determine that the local DNS carries a risk of being malicious. From the respective analyses of the normal and malicious resolution processes above, it can be seen that a basis for judging a malicious DNS can be obtained by judging the request source of the DNS resolution request; therefore the judgment module 120 can identify the dangerousness of a DNS from the received DNS resolution result containing the request source address information.
Fig. 4 is a schematic diagram of the device 100 for identifying the dangerousness of a domain name resolution server according to another embodiment of the present invention. In this embodiment, the device may additionally be provided with a statistical module 130, and the judgment module 120 may be provided with an address judging submodule 122, an address recognition submodule 124 and a time-to-live judging submodule 126.
In the case where the authoritative DNS of the preset domain name is configured to use the request source address as the resolved address of the preset domain name, the address judging submodule 122 may be configured to: obtain the address of the local DNS; match the address of the local DNS against the resolved address in the resolution result; and if the address of the local DNS matches the resolved address, determine that the DNS resolution request was sent directly by the local DNS.
When matching the address of the local DNS against the resolved address in the resolution result, the address judging submodule 122 may directly judge whether the resolved address and the local DNS to be identified are consistent, for example by comparing whether the address of the local DNS and the resolved address are identical; if identical, it determines that the address of the local DNS matches the resolved address.
Considering that the same DNS server may have several IP addresses, in order to avoid false positives the address judging submodule 122 may also compare whether the attribution information of the address of the local DNS and the attribution information of the resolved address are identical, the attribution information including the region and the operator to which the address belongs; if identical, it determines that the address of the local DNS matches the resolved address. In the situation of China, the region can be as precise as the province, and the operators include Telecom, Unicom, Mobile, Tietong and so on. If the two addresses differ but belong to the same province (or a certain region), the two addresses can be considered matched. More strictly, a restriction on the operator can be added: if the two addresses differ but both the province (or region) and the operator are the same, they are considered matched; otherwise, as soon as either the province (or region) or the operator differs, they do not match.
Since the forwarding DNS commonly used by malicious DNS is generally a public DNS, if a DNS resolution request is found to have been forwarded through a public DNS, the maliciousness degree of the local DNS should be raised; therefore the address recognition submodule 124 can identify whether the resolved address is the address of a public DNS, and if so, raise the risk level of the local DNS. The addresses of public DNS servers can be stored on the user side in the form of a preset database, or stored on the network side for the user side to query.
The time-to-live judging submodule 126 can obtain the time-to-live value of the resolution result, judge whether it exceeds the time-to-live preset by the authoritative DNS, and if it does, raise the risk level of the local DNS.
The time-to-live (TTL) of DNS represents the time that a domain name resolution record may be cached on a DNS server. When a Local DNS server receives a resolution request, it sends a resolution request to the authoritative DNS of the domain to obtain the resolution record; after obtaining this record, the Local DNS server caches it for a period of time, and if it receives another resolution request for this domain name within that period, it no longer sends a request to the authoritative DNS but directly returns the record just obtained. The time this record is allowed to be retained on the Local DNS server is the TTL value.
In the embodiment of the present invention, the authoritative DNS of the preset domain name may set the TTL to a small value, for example between 0 and 60 seconds. If the TTL in the resolution result obtained by the time-to-live judging submodule 126 is larger than the preset value, this indicates that the information returned by the authoritative DNS has been tampered with, and the danger coefficient increases.
The device 100 for identifying the dangerousness of a domain name resolution server above can be arranged in a client on the user side. In operation, it initiates a resolution request for the preset domain name, receives the resolution result returned by the authoritative DNS of the preset domain name, and judges whether the DNS resolution request source address contained in the resolution result and the local DNS to be identified are consistent or belong to the same area (the geographical region and operator they belong to). The whole process is simple, requires no accumulation of a large amount of data, and has high accuracy.
When a batch of DNS servers to be identified needs to be detected, the statistical module 130 can record the resolved addresses of the multiple local DNS servers to generate a resolved address list, count the number of times each resolved address appears in the list, sort the addresses by count from high to low, and raise the risk level of the local DNS servers corresponding to the top-ranked resolved addresses. That is, the above identification is performed on multiple local DNS servers, and their dangerousness is then judged according to whether multiple local DNS servers return the same last-hop egress IP.
The present invention also provides a method for identifying the dangerousness of a domain name resolution server. The method can be performed by the device 100 for identifying the dangerousness of a domain name resolution server introduced in any of the above embodiments, in order to improve the accuracy of identifying malicious DNS with an identification process that is simple and easy to implement. Fig. 5 is a schematic diagram of the method for identifying the dangerousness of a domain name resolution server according to an embodiment of the present invention. The method includes:
Step S502: obtaining the resolution result that the local DNS to be identified obtains by resolving the preset domain name;
Step S504: determining, according to the resolution result, whether the DNS resolution request received by the authoritative DNS of the preset domain name was sent directly by the local DNS;
Step S506: if not, determining that the local DNS carries a risk of being malicious.
The authoritative DNS of the preset domain name may add request source address information of the DNS resolution request to the resolution result, for example by using the request source address of the DNS resolution request as the resolved address of the preset domain name, or by performing some logical calculation on the request source address of the DNS resolution request so that the resolved address of the preset domain name corresponds one-to-one with the request source address of the DNS resolution request, to facilitate the subsequent judgment.
The judging method used in step S504 is to check the request source IP of the DNS resolution request received by the authoritative DNS; assume it is IP4. It is compared with the address of the local DNS, assumed to be IP1. If the two IPs are identical, or differ but have the same attribution (belong to the same province and the same operator), it can be confirmed that this local DNS did not forward the domain name resolution request for the preset domain name. If the two IPs differ and their attribution also differs (either the province or the operator differs), then the request was forwarded and there is a suspicion of hijacking.
For example, the authoritative DNS is configured to use the request source address of the DNS resolution request as the resolved address of the preset domain name. An optional method of step S504 is then to obtain the address of the local DNS, match the address of the local DNS against the resolved address, and if the address of the local DNS matches the resolved address, determine that the DNS resolution request was sent directly by the local DNS. Here, matching the address of the local DNS against the resolved address includes comparing whether the address of the local DNS and the resolved address are identical, and if identical, determining that they match. In addition, matching the address of the local DNS against the resolved address may also include comparing whether the attribution information of the address of the local DNS and the attribution information of the resolved address are identical, the attribution information including the region and/or the operator to which the address belongs; if identical, determining that the address of the local DNS matches the resolved address.
If the address of the local DNS does not match the resolved address, it can further be identified whether the resolved address is the address of a public DNS, and if so, the risk level of the local DNS is raised. The time-to-live value of the resolution result can further be obtained and it can be judged whether it exceeds the time-to-live preset by the authoritative DNS; if it does, the risk level of the local DNS is raised.
Where the address of the local DNS and the resolved address do not match, a batch of DNS servers can also be processed together. The method of this embodiment may further include: recording the respective resolved addresses of multiple local DNS servers to generate a resolved address list; counting the number of times each resolved address appears in the list and sorting by count from high to low; and raising the risk level of the local DNS servers corresponding to the top-ranked resolved addresses.
To use the above method for identifying the dangerousness of a domain name resolution server of this embodiment, the preset domain name and its authoritative DNS must first be set up. For example, in the network environments shown in Fig. 1 and Fig. 2, a special domain name is configured on the authoritative DNS of abc.com, assumed to be check.abc.com, with its TTL set to 0. When the authoritative DNS receives a request for this domain name, it first obtains the source IP address that directly sent this request, assumed to be IP2=58.240.56.14, and then returns that address as the A record of check.abc.com. What the local DNS obtains in this way is a DNS response record similar to the following:
check.abc.com. 0 IN A 58.240.56.14
This record indicates that check.abc.com resolves to the A record 58.240.56.14 with TTL 0. The judgment can thus be made from the resolution result returned by the authoritative DNS.
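The authoritative-side behaviour described above, as an added example that is not the patent's own code: a minimal UDP responder that answers an A query for the detection name with the datagram's source address as the A record and TTL 0, and returns an empty NXDOMAIN answer for anything else. The detection name check.abc.com, the TTL of 0 and the port are assumptions taken from the specification's example.

```python
import socket
import struct
from typing import Optional, Tuple

# Assumed detection name and preset TTL (from the specification's example).
DETECT_NAME = "check.abc.com"
DETECT_TTL = 0


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a name at offset (compression pointers supported);
    return (dotted name, offset just past the name)."""
    labels = []
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, pointer)
            labels.append(tail)
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard A/IN query with RD set, as a resolver would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def build_echo_response(query: bytes, source_ip: str) -> bytes:
    """Answer DETECT_NAME with an A record carrying the querier's source IP."""
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, off = decode_name(query, 12)
    qtype, qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    hit = qname.lower() == DETECT_NAME and qtype == 1 and qclass == 1
    # QR=1, AA=1, RD copied from the query; RCODE 0 on a hit, 3 (NXDOMAIN) otherwise
    rflags = 0x8400 | (flags & 0x0100) | (0 if hit else 3)
    header = struct.pack("!HHHHHH", txid, rflags, 1, 1 if hit else 0, 0, 0)
    answer = b""
    if hit:
        answer = (b"\xc0\x0c"  # pointer to the question name at offset 12
                  + struct.pack("!HHIH", 1, 1, DETECT_TTL, 4)
                  + socket.inet_aton(source_ip))
    return header + question + answer


def rcode(response: bytes) -> int:
    """Response code from the flags word (0 = NOERROR, 3 = NXDOMAIN)."""
    return struct.unpack("!H", response[2:4])[0] & 0x000F


def parse_first_a(response: bytes) -> Optional[Tuple[str, int, str]]:
    """Return (name, ttl, ip) of the first answer record, or None if none."""
    _, _, qd, an = struct.unpack("!HHHH", response[:8])
    if an == 0:
        return None
    off = 12
    for _ in range(qd):  # skip the question section
        _, off = decode_name(response, off)
        off += 4
    name, off = decode_name(response, off)
    rtype, _, ttl, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    off += 10
    if rtype != 1 or rdlen != 4:
        return None
    return name, ttl, socket.inet_ntoa(response[off:off + rdlen])


def serve(bind_ip: str = "0.0.0.0", port: int = 5353) -> None:
    """Serve forever over UDP; the datagram's source address is what gets echoed."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, (src_ip, src_port) = sock.recvfrom(512)
        try:
            sock.sendto(build_echo_response(data, src_ip), (src_ip, src_port))
        except (ValueError, IndexError, struct.error):
            continue  # malformed query: drop it


if __name__ == "__main__":
    serve()
```

A forwarding resolver that relays the query through another server will, by construction, receive that server's address in the answer rather than its own.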
When an individual local DNS (assuming its address is IP1=58.240.56.14) is to be identified, the resolution result of that local DNS for check.abc.com can be obtained with DNS query tools such as nslookup or dig. The common dig (domain information groper) command on Linux systems is used as the example below. Below is a sample of the resolution result of a dig request for check.abc.com:
The resolution result for check.abc.com obtained in the above output is IP2=61.190.31.58. Compared with IP1=58.240.56.14, the two IPs differ. The attribution and operator of the two IP addresses are then queried: the attribution information of IP2 is "Hefei, Anhui, China, Telecom", and the attribution information of IP1 is "Nanjing, Jiangsu, China, Unicom". The locations of the two IPs differ, which shows that the current local DNS to be identified forwarded the resolution request for check.abc.com to a server in Nanjing; therefore this DNS may be a black (malicious) DNS, and its danger coefficient increases.
Continuing to check the returned TTL, it is found that the TTL has been changed to 3600 seconds, clearly exceeding the preset 0 seconds, which indicates that the information returned by the authoritative DNS has been tampered with; the danger coefficient increases.
Continuing to check whether IP2 appears in a list of common public DNS servers (such as Google DNS, 114DNS, DNS group, etc.): if IP2 is in the list, this Local DNS forwarded the resolution request for check.abc.com to a public DNS, and the danger coefficient increases.
Below is the resolution result of another local DNS to be identified (218.247.244.2) for check.abc.com:
It can be seen that the resolution result for this local DNS is 218.247.244.2, the two IPs are the same, and the TTL value is 0, which shows that the DNS resolution request was not forwarded to another server and the TTL was not tampered with; therefore the danger coefficient of this local DNS (218.247.244.2) is relatively small.
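The three checks applied to the two resolvers above (source address match with attribution fallback, public-DNS egress, TTL tampering), as an added example that is not the patent's own code. The attribution table is constructed: the entries for 58.240.56.14 and 61.190.31.58 follow the worked example, the remaining entries and the short public DNS list are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Attribution = Tuple[str, str]  # (region, operator)

# Constructed attribution table; only the first two entries come from the example above.
ATTRIBUTION: Dict[str, Attribution] = {
    "58.240.56.14": ("Jiangsu", "Unicom"),
    "61.190.31.58": ("Anhui", "Telecom"),
    "58.240.56.15": ("Jiangsu", "Telecom"),   # assumed: same province, other operator
    "218.247.244.2": ("Beijing", "Telecom"),  # assumed
}
# Constructed short list of public resolver addresses (assumption).
PUBLIC_DNS: Set[str] = {"8.8.8.8", "8.8.4.4", "114.114.114.114"}
PRESET_TTL = 0  # TTL configured on the authoritative DNS for the check name


@dataclass
class Verdict:
    forwarded: bool
    danger: int          # number of raised-risk findings; 0 means nothing suspicious
    reasons: List[str]


def addresses_match(local_ip: str, resolved_ip: str,
                    attribution: Dict[str, Attribution] = ATTRIBUTION,
                    strict_operator: bool = True) -> bool:
    """Identical IPs match; otherwise fall back to attribution (same region and,
    when strict, same operator) so a multi-homed resolver is not a false positive."""
    if local_ip == resolved_ip:
        return True
    a, b = attribution.get(local_ip), attribution.get(resolved_ip)
    if a is None or b is None:
        return False  # unknown attribution: cannot claim a match
    if a[0] != b[0]:
        return False
    return a[1] == b[1] if strict_operator else True


def assess(local_ip: str, resolved_ip: str, ttl: int,
           attribution: Dict[str, Attribution] = ATTRIBUTION,
           public_dns: Set[str] = PUBLIC_DNS,
           preset_ttl: int = PRESET_TTL, strict_operator: bool = True) -> Verdict:
    """Judge one local DNS from the A record it returned for the check name."""
    reasons: List[str] = []
    forwarded = not addresses_match(local_ip, resolved_ip, attribution, strict_operator)
    if forwarded:
        reasons.append(f"answer carries source {resolved_ip}, not local DNS {local_ip}: "
                       "request was forwarded")
        if resolved_ip in public_dns:
            reasons.append(f"{resolved_ip} is a known public DNS")
    if ttl > preset_ttl:
        reasons.append(f"TTL {ttl} exceeds preset {preset_ttl}: record altered in transit")
    return Verdict(forwarded=forwarded, danger=len(reasons), reasons=reasons)
```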
The method for identifying the dangerousness of a domain name resolution server of the embodiment of the present invention can also identify a batch of DNS servers together, for example by detecting a batch of local DNS servers, which can be represented as the list {dns1, dns2, dns3 ...}.
First, using the detection method for a single DNS to be identified introduced above, each DNS in the list is used in turn to send a DNS resolution request for the preset domain name, giving a list of returned IP results {ip1, ip2, ip3 ...}. After excluding known public DNS from the list, the number of DNS servers to be identified that return each ipn is counted, giving a corresponding list {cnt1, cnt2, cnt3 ...}, where cnti indicates that a total of cnti DNS servers to be identified returned ipi. If some ip is returned by a larger number of servers, the danger coefficient of the DNS servers to be identified that returned that ip increases.
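The batch statistics just described, as an added example that is not the patent's own code: the returned source IPs of a constructed batch of local DNS servers (documentation addresses) are counted after excluding a constructed public DNS list, ranked by count, and every resolver sharing a top-ranked egress IP is flagged. The minimum shared count of 2 is an assumption.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Constructed public resolver exclusion list (assumption).
PUBLIC_DNS: Set[str] = {"8.8.8.8", "114.114.114.114"}

# Constructed batch: local DNS address -> source IP carried in its check-name answer.
BATCH: Dict[str, str] = {
    "192.0.2.1": "203.0.113.9",    # three resolvers share one egress IP
    "192.0.2.2": "203.0.113.9",
    "192.0.2.3": "203.0.113.9",
    "192.0.2.4": "198.51.100.4",   # unique egress IP
    "192.0.2.5": "8.8.8.8",        # forwarded via a public DNS: excluded from the count
    "192.0.2.6": "192.0.2.6",      # answered directly: its own address came back
}


def rank_egress(batch: Dict[str, str],
                public_dns: Set[str]) -> List[Tuple[str, int, List[str]]]:
    """Count how many local DNS servers returned each egress IP (public DNS
    excluded) and rank from most to least shared; ties break on the IP string."""
    by_ip: Dict[str, List[str]] = defaultdict(list)
    for local_ip, resolved_ip in batch.items():
        if resolved_ip in public_dns:
            continue
        by_ip[resolved_ip].append(local_ip)
    ranked = sorted(by_ip.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(ip, len(locals_), sorted(locals_)) for ip, locals_ in ranked]


def flag_shared_egress(batch: Dict[str, str], public_dns: Set[str],
                       min_count: int = 2) -> Dict[str, str]:
    """Map each local DNS whose egress IP is shared by at least min_count
    resolvers to that egress IP; these are the ones whose danger coefficient is raised."""
    flagged: Dict[str, str] = {}
    for ip, count, locals_ in rank_egress(batch, public_dns):
        if count >= min_count:
            for local_ip in locals_:
                flagged[local_ip] = ip
    return flagged
```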
Using the method for identifying the dangerousness of a domain name resolution server of this embodiment, DNS servers with a higher danger coefficient can be quickly filtered out of a large number of local DNS servers, and other inspection methods can then be used to further determine whether they are malicious DNS, avoiding the problem in the prior art of needing to obtain legitimate resolution results in advance. Thus, merely by setting a preset detection and identification domain name such as check on the authoritative DNS, the dangerousness of a DNS can be identified from the resolution result.
In the method for identifying the dangerousness of a domain name resolution server of the present invention, the local DNS to be identified is used to initiate a DNS resolution request for a preset domain name, and the resolution result returned by the authoritative DNS of the preset domain name reflects the source address of the request that reached it. Since a malicious DNS generally hands DNS resolution requests outside its hijacking scope to other DNS resolution servers to resolve on its behalf, judging whether the DNS resolution request received by the authoritative DNS was sent directly by the local DNS reveals whether the resolution was forwarded to another DNS resolution server, and thus whether the DNS carries a risk of being malicious.
Further, the authoritative DNS of the preset domain name can be configured to use the request source address of the DNS resolution request as the resolved address of the preset domain name, so that once the resolution result for the preset domain name is obtained, it can be judged directly whether the obtained resolved address matches the address of the local DNS, which determines whether the local DNS completed the entire resolution process itself and thus yields the identification result of whether the local DNS is malicious.
Further, the method of the invention for identifying domain name resolution server danger obtains the basis for judging a DNS server simply by setting up one test domain name dedicated to detecting the request source address of DNS resolution requests; no large volume of data needs to be accumulated for analysis, and the recognition process is simple and easy to implement.
In the specification provided herein, numerous specific details are set forth. It is to be understood, however, that embodiments of the present invention can be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail so as not to obscure the understanding of this description.
Similarly, it should be understood that, in order to simplify the disclosure and to aid understanding of one or more of the various inventive aspects, in the above description of exemplary embodiments of the present invention, various features of the invention are sometimes grouped together in a single embodiment, figure, or description thereof. However, this method of disclosure should not be construed as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single disclosed embodiment. Thus, the claims following the detailed description are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate embodiment of the present invention.
Those skilled in the art will appreciate that the modules in the device of an embodiment can be adaptively changed and arranged in one or more devices different from that embodiment. The modules, units or components of an embodiment can be combined into one module, unit or component, and can additionally be divided into multiple sub-modules, sub-units or sub-components. Except where at least some of such features and/or processes or units are mutually exclusive, all features disclosed in this specification (including the accompanying claims, abstract and drawings), and all processes or units of any method or device so disclosed, may be combined in any combination. Unless expressly stated otherwise, each feature disclosed in this specification (including the accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose.
In addition, those skilled in the art will appreciate that although some embodiments described herein include certain features that are included in other embodiments but not others, combinations of features of different embodiments are meant to be within the scope of the invention and to form different embodiments. For example, in the claims, any of the claimed embodiments can be used in any combination.
The various component embodiments of the present invention can be implemented in hardware, as software modules running on one or more processors, or as a combination thereof. Those skilled in the art will understand that a microprocessor or digital signal processor (DSP) can be used in practice to implement some or all of the functions of some or all of the components of the device for identifying domain name resolution server danger according to embodiments of the present invention. The present invention can also be implemented as a device or apparatus program (for example, a computer program and a computer program product) for performing some or all of the methods described herein. Such a program implementing the present invention can be stored on a computer-readable medium or can take the form of one or more signals. Such signals can be downloaded from an internet website, provided on a carrier signal, or provided in any other form.
It should be noted that the above embodiments illustrate rather than limit the invention, and those skilled in the art can design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses should not be construed as limiting the claims. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements and by means of a suitably programmed computer. In a unit claim enumerating several devices, several of these devices can be embodied by one and the same item of hardware. The use of the words first, second, and third does not indicate any order. These words can be interpreted as names.
Although those skilled in the art will appreciate that multiple exemplary embodiments of the present invention have been shown and described in detail herein, many other variations or modifications consistent with the principles of the invention can still be directly determined or derived from the present disclosure without departing from the spirit and scope of the invention. Therefore, the scope of the present invention should be understood and recognized as covering all such other variations or modifications.
A1. An embodiment of the present invention further provides a method for identifying domain name resolution server danger, including:
obtaining the analysis result obtained by a local DNS to be identified resolving a preset domain name;
determining, according to the analysis result, whether the DNS resolution request received by the authoritative DNS of the preset domain name was sent directly by the local DNS, wherein the analysis result includes request source address information of the DNS resolution request added by the authoritative DNS;
if not, determining that the local DNS carries a malice risk.
A2. The method according to A1, wherein
the authoritative DNS is configured to use the request source address of the DNS resolution request as the parsing address of the preset domain name;
determining, according to the analysis result, whether the DNS resolution request received by the authoritative DNS of the preset domain name was sent directly by the local DNS includes:
obtaining the address of the local DNS;
matching the address of the local DNS against the parsing address;
if the address of the local DNS matches the parsing address, determining that the DNS resolution request was sent directly by the local DNS.
A3. The method according to A2, wherein matching the address of the local DNS against the parsing address includes:
comparing whether the address of the local DNS and the parsing address are identical;
if identical, determining that the address of the local DNS matches the parsing address.
A4. The method according to A2, wherein matching the address of the local DNS against the parsing address includes:
comparing whether the attribution information of the address of the local DNS and the attribution information of the parsing address are identical, the attribution information including the attributed region and/or home operator of the address;
if identical, determining that the address of the local DNS matches the parsing address.
A5. The method according to any one of A2 to A4, wherein,
if the address of the local DNS does not match the parsing address, the method further includes:
identifying whether the parsing address is the address of a public DNS;
if so, raising the risk class of the local DNS.
A6. The method according to any one of A2 to A4, wherein,
if the address of the local DNS does not match the parsing address, the method further includes:
obtaining the time-to-live value of the analysis result;
judging whether the time-to-live value of the analysis result is no greater than the time to live preset by the authoritative DNS;
if not, raising the risk class of the local DNS.
A7. The method according to any one of A2 to A4, wherein,
if the address of the local DNS does not match the parsing address, the method further includes:
recording the respective parsing addresses of multiple local DNS servers to generate a parsing address list;
counting the number of occurrences of each parsing address in the parsing address list and ranking the parsing addresses by that number from high to low;
raising the risk class of the local DNS servers corresponding to the parsing addresses ranked at the top.
B8. In addition, the present invention also provides a device for identifying domain name resolution server danger, including:
an acquisition module configured to obtain the analysis result obtained by a local DNS to be identified resolving a preset domain name;
a judgment module configured to determine, according to the analysis result, whether the DNS resolution request received by the authoritative DNS of the preset domain name was sent directly by the local DNS, and if not, to determine that the local DNS carries a malice risk, wherein the analysis result includes request source address information of the DNS resolution request added by the authoritative DNS.
B9. The device according to B8, wherein the judgment module includes:
an address judging submodule configured to: obtain the address of the local DNS; match the address of the local DNS against the parsing address in the analysis result; and if the address of the local DNS matches the parsing address, determine that the DNS resolution request was sent directly by the local DNS, the authoritative DNS of the preset domain name being configured to use the request source address as the parsing address of the preset domain name.
B10. The device according to B9, wherein the address judging submodule is further configured to:
compare whether the address of the local DNS and the parsing address are identical;
if identical, determine that the address of the local DNS matches the parsing address.
B11. The device according to B9, wherein the address judging submodule is further configured to:
compare whether the attribution information of the address of the local DNS and the attribution information of the parsing address are identical, the attribution information including the attributed region and/or home operator of the address;
if identical, determine that the address of the local DNS matches the parsing address.
B12. The device according to any one of B9 to B11, wherein the judgment module further includes:
an address recognition submodule configured to: identify whether the parsing address is the address of a public DNS; and if so, raise the risk class of the local DNS.
B13. The device according to any one of B9 to B11, wherein the judgment module further includes:
a time-to-live judging submodule configured to: obtain the time-to-live value of the analysis result; judge whether the time-to-live value of the analysis result is no greater than the time to live preset by the authoritative DNS; and if not, raise the risk class of the local DNS.
B14. The device according to any one of B9 to B11, further including:
a statistical module configured to: record the parsing addresses of multiple local DNS servers to generate a parsing address list; count the number of occurrences of each parsing address in the parsing address list and rank the parsing addresses by that number from high to low; and raise the risk class of the local DNS servers corresponding to the parsing addresses ranked at the top.